[HN Gopher] Lastpass Security Incident
___________________________________________________________________
Lastpass Security Incident
Author : bartkappenburg
Score : 42 points
Date : 2022-11-30 20:03 UTC (2 hours ago)
(HTM) web link (blog.lastpass.com)
| bnmathm wrote:
| > We have determined that an unauthorized party, using
| information obtained in the August 2022 incident, was able to
| gain access to certain elements of our customers' information.
| Our customers' passwords remain safely encrypted due to
| LastPass's Zero Knowledge architecture.
|
| Sure sounds like they found passwords or keys in the development
| environment breach back in August, and nobody bothered to change
| those after knowing they were hacked.
| teg4n_ wrote:
| Lastpass has had so many security incidents I have no idea why
| anyone uses it anymore when the whole product is supposed to be
| security.
| celestialcheese wrote:
| > was able to gain access to certain elements of our customers'
| information
|
| This is frustratingly vague. This incident started 4 months ago,
| and you can't provide any details?
|
| If it wasn't such a PITA to move off LastPass, I would do so.
| They got me.
| snailmailman wrote:
| How is it a PITA to move off lastpass? I switched to Bitwarden
| and it was a piece of cake. Exported all passwords. Imported
| all passwords. Pretty much all password managers can
| import/export as a CSV or similar.
| archi42 wrote:
| Moving to vaultwarden (the open bitwarden server
| implementation) was also really easy. Just installed the
| package in Arch, set up the vhost in nginx, put the vhost into
| my local DNS and slightly adjusted the vaultwarden config
| file. Now I use bitwarden clients everywhere and point them
| to my server.
|
| Since I don't feel 100% comfortable having my self hosted
| things on a public IP, I put it only on my LAN. For remote
| access (e.g. phone) I use wireguard.
| celestialcheese wrote:
| It's easy if you don't share passwords with others. I have my
| whole family and business using it, and there's lots of
| shared folders.
|
| Convincing my wife and colleagues to all switch
| simultaneously isn't feasible unless this data fiasco gets
| worse.
| ragingroosevelt wrote:
| I tried migrating from LP to BW and got import errors.
| Bitwarden's error message was very vague (along the lines of
| "sorry, something went wrong") and I haven't been able to
| track down what entries were causing the issue. I've tried 3
| or 4 times including trying to reproduce with subsets of the
| full collection but it's too much of a pain with hundreds of
| accounts and I so far haven't been motivated enough to
| manually transfer them or to write a selenium script to do it
| automatically.
| musk_micropenis wrote:
| > If it wasn't such a PITA to move off LastPass,
|
| It's really not. As the quality of their software declined
| severely starting around 4-5 years ago, I put off moving
| because I assumed it would be a huge hassle. It turned out to
| be surprisingly easy. I have since deleted my LastPass account
| and wouldn't trust that company to mop my floors.
| skittleson wrote:
| I did it over the course of a few months. My choice was keepass
| since it is open source, battle tested, and works everywhere as
| if it were lastpass.
| rkagerer wrote:
| How smooth is the hotkey autofill experience? Does it
| identify websites and fill out login forms properly? (I
| prefer not to rely on sites' "remember me" boxes or ephemeral
| cookies).
|
| Any compatible Android app?
| reiichiroh wrote:
| Ruh Roh
___________________________________________________________________
(page generated 2022-11-30 23:02 UTC)